Home Forums SQL Server 2008 T-SQL (SS2K8) How to call a batch file to execute from an SP RE: How to call a batch file to execute from an SP

  • March 24, 2013 at 7:24 pm

    #1600153

    opc.three (3/24/2013)

    The fact is that a system with xp_cmdshell disabled has less security exposures, has less vulnerabilities and is more auditable than a system where it is enabled.

    OK.

    I'm an intruder on your system.

    If I'm connected using non-systemadmin credentials I cannot execute any call to xp_cmdshell anyway, and I cannot get privileges associated with it.

    So, it does not really matter if it's disabled or enabled - I won't be able even to figure out that.

    Now, if I'm connected as a systemadmin. First thing I will do is

    EXEC sp_configure 'xp_cmdshell', 1

    Immediately followed by

    RECONFIGURE WITH OVERRIDE

    Voilà!

    xp_cmdshell is enabled, no matter what state it was 3 ms ago.

    So, where those promissed "less security exposures, has less vulnerabilities"?

    _____________
    Code for TallyGenerator